deal with url encode (#4113)
diff --git a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
index 5333b24..f7158b4 100644
--- a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
+++ b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
@@ -23,6 +23,8 @@
import org.apache.commons.lang3.StringUtils;
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
@@ -93,6 +95,12 @@
if (StringUtils.isBlank(url)) {
throw new LinkisSecurityException(35000, "Invalid mysql connection cul, url is empty");
}
+ // deal with url encode
+ try {
+ url = URLDecoder.decode(url, "UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
+ }
if (url.endsWith(QUESTION_MARK) || !url.contains(QUESTION_MARK)) {
logger.info("checkJdbcSecurity target url: {}", url);
return url;
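Review bot: The catch at L20 handles only UnsupportedEncodingException, but `URLDecoder.decode` also throws an unchecked IllegalArgumentException for a malformed escape (a `%` not followed by two hex digits), so such a URL leaves the check with a stack trace instead of the LinkisSecurityException the surrounding code promises; widen it to `} catch (UnsupportedEncodingException | IllegalArgumentException e) {`. The decode at L31–L35 in the next hunk has the same gap. Note also that URLDecoder is a form decoder and turns a literal `+` into a space, so a `+` in a password or other value is altered in the url this method returns at L25; if that is not intended, substitute `%2B` for `+` before decoding. A single pass only removes one level of encoding, and whether the driver decodes the string again is outside this diff, so a comment stating that the check is deliberately one-pass would help the next reader. checkJdbcSecurity's body starts before this hunk.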
@@ -126,6 +134,18 @@
return paramsMap;
}
+ // deal with url encode
+ String paramUrl = parseParamsMapToMysqlParamUrl(paramsMap);
+ try {
+ paramUrl = URLDecoder.decode(paramUrl, "UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
+ }
+
+ Map<String, Object> newParamsMap = parseMysqlUrlParamsToMap(paramUrl);
+ paramsMap.clear();
+ paramsMap.putAll(newParamsMap);
+
Iterator<Map.Entry<String, Object>> iterator = paramsMap.entrySet().iterator();
while (iterator.hasNext()) {
Map.Entry<String, Object> entry = iterator.next();
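Review bot: Decoding the serialised URL and re-parsing it at L30–L37 means a value whose encoded form contains `%26` or `%3D` is split into extra parameters after decoding, so the map handed back to the caller no longer corresponds to what was passed in; decoding each key and value in place avoids the round trip and keeps insertion order, though non-string values would then be left as-is where the current code presumably stringifies them, so confirm that is acceptable. The catch here shares the first hunk's gap, since IllegalArgumentException from a malformed escape is not caught. The clear/putAll at L38–L39 replaces the caller's map contents, which the tests appear to rely on but which the method's Javadoc should state, e.g. `Decodes the keys and values of {@code paramsMap} in place before checking them.` The enclosing method starts before this hunk, and parseMysqlUrlParamsToMap/parseParamsMapToMysqlParamUrl are not visible here.
```java
    // … unchanged: empty-map guard …
    // Decode each entry in place rather than serialising to a URL and re-parsing it,
    // so an encoded '&' or '=' inside a value cannot be re-split into extra parameters.
    Map<String, Object> decoded = new LinkedHashMap<>();
    try {
      for (Map.Entry<String, Object> entry : paramsMap.entrySet()) {
        String key = URLDecoder.decode(entry.getKey(), "UTF-8");
        Object value = entry.getValue();
        if (value instanceof String) {
          value = URLDecoder.decode((String) value, "UTF-8");
        }
        decoded.put(key, value);
      }
    } catch (UnsupportedEncodingException | IllegalArgumentException e) {
      throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
    }
    paramsMap.clear();
    paramsMap.putAll(decoded);
    // … unchanged: iterator over paramsMap entries …
```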
diff --git a/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java b/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java
index 9d4893e..4fdca7b 100644
--- a/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java
+++ b/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java
@@ -91,6 +91,15 @@
SecurityUtils.checkJdbcSecurity(atomUrl.get());
});
+ // url encode
+ url = "jdbc:mysql://127.0.0.1:10000/db_name?allowLocalInfil%65=true";
+ atomUrl.set(url);
+ Assertions.assertThrows(
+ LinkisSecurityException.class,
+ () -> {
+ SecurityUtils.checkJdbcSecurity(atomUrl.get());
+ });
+
// value is not security
url = "jdbc:mysql://127.0.0.1:10000/db_name?p1=allowLocalInfile";
atomUrl.set(url);
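Review bot: The new case at L52 only covers a well-formed escape that decodes to a restricted key; nothing pins what checkJdbcSecurity does with a malformed escape such as `allowLocalInfil%zz`, a double-encoded key such as `allowLocalInfil%2565`, or a literal `+` in a value, and those are the inputs where a decode step most easily diverges from what the driver later sees. Add one assertion for each, stating whichever outcome is intended (LinkisSecurityException or pass-through), so a later change to the decode cannot silently widen what passes.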
@@ -118,6 +127,11 @@
Assertions.assertEquals("v1", newMap.get("p1"));
// key not security
+ paramsMap.put("allowLocalInfil%67", "true");
+ SecurityUtils.checkJdbcSecurity(paramsMap);
+ Assertions.assertEquals("true", newMap.get("allowLocalInfilg"));
+
+ // key not security
paramsMap.put("allowLocalInfile", "false");
Assertions.assertThrows(
LinkisSecurityException.class,
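Review bot: The existing comment `// key not security` at L65 now heads the new encoded-key case at L66–L68, while the case it originally described (`allowLocalInfile` at L71) gets the duplicated comment at L70, so the first comment no longer says what it labels. Rename it to something like `// key is url-encoded and decodes to an unrestricted key` so the two cases read distinctly. It would also be worth adding the map-form counterpart of the earlier String-url case, an encoded restricted key such as `allowLocalInfil%65` expected to throw, since the map path only exercises a benign decoded key here and the value-side case in the following hunk.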
@@ -134,6 +148,15 @@
SecurityUtils.checkJdbcSecurity(paramsMap);
});
+ // value not security
+ paramsMap.clear();
+ paramsMap.put("p1", "allowLocalInfil%65");
+ Assertions.assertThrows(
+ LinkisSecurityException.class,
+ () -> {
+ SecurityUtils.checkJdbcSecurity(paramsMap);
+ });
+
// contains #
paramsMap.clear();
paramsMap.put("p1#", "v1");